Checkpoint R75 Lab Manual

CHECKPOINT FIREWALL VERSION: R75

LAB GUIDE

Installation Type - SPLAT

Checkpoint can be installed in several ways, including on SecurePlatform (SPLAT), on a Windows operating system, or on Nokia hardware. Here we walk through the SPLAT installation step by step. On the machine where SP

Once you hit Enter the Installation process starts,

Use the Tab key to select OK and hit Enter,

Select the language in which Checkpoint needs to be installed; here we select US (i.e. English)

Here we see the two interfaces present on the device on which Checkpoint is installed, eth0 and eth1. One of the interfaces is selected for configuration; below we select eth0

Configure the IP address for the selected eth0 interface; the default gateway information can be left empty since we

Select OK and hit Enter,

Checkpoint will start formatting the machine's hard drive; select OK and hit Enter

Checkpoint has finished copying files to the hard drive; select OK and hit Enter

The firewall will reboot and bring you to the login screen,

The first-time login uses the default username and password: Username: admin, Password: admin

Once the default credentials are entered, a new username and password need to be created as shown above. By now all the necessary Checkpoint files have been copied to the secure platform; to complete the initial network and other configuration, open a browser and connect using the URL shown in the snapshot as an example

Open a browser and launch the Web UI login page

After accepting the license agreement, the login page comes up. Use the credentials created at the first-time CLI login

Click Next,

Click on eth1, which we want to use as the external interface, and assign it an IP address

Once the IP address is assigned to eth1, click Next to continue the configuration

Assign a default route address for the firewall as below

Once the IP address is entered, click on Apply

The default route will be listed in the routing table

Enter the DNS server information and the hostname of the firewall, and select the management interface

Here we go for manual settings; an NTP server can also be used for this purpose,

Specify the clients/network allowed to access the firewall's management interface

Now when you click on Any, it will edit the network/host properties as below; here we specify a machine IP address which is allowed to connect to the firewall management interface

Select the Checkpoint products you wish to install,

Here we select this as a Primary Firewall

Specify the clients that can access the Firewall GUI (SmartDashboard)


Define an Administrator Username and Password to access the Firewall GUI

Click next to continue configuration,

This completes the initial setup of the Checkpoint firewall; now Checkpoint will start the configuration process

Click Yes,


Once you click OK, you will be redirected to the Web User Interface.

Click on Product Configuration to download the SmartConsole for accessing the Security Management GUI

Once the download completes, install the SmartConsole application. Note: Microsoft .NET version 2 is required on the machine where SmartConsole is being installed

Now you can log in to the firewall CLI and check the routing, both towards the external side and the internal side, making sure the Internet and the LAN are reachable from within the firewall

Launch SmartDashboard and log in using the credentials created in the Web UI configuration wizard,

Click Yes and SmartDashboard starts loading up.

SmartDashboard has a left panel called the Object Tree, which holds multiple tabs, and a right panel that holds the security policies created

Select the Network Objects tab from the left panel (the first tab), expand Checkpoint, right click on the cpmodule and click on Edit,

A new window opens up,

Go to the Topology option and there click on Get – Interfaces with Topology


Click Yes

Click on Accept; once done, identify the difference between the external and internal networks as shown below,

In the menu options at the top, click on Policy and select Global Properties,

Select the options below to enable the ICMP requests, which are blocked by default

Stealth Rule and Cleanup Rule

Click on the Rules options to add a rule in SmartDashboard

This rule can be edited as per the requirement

The first rule should always be the Stealth Rule and the last rule the Cleanup Rule. Source will be ANY


Expand the Destination part and select Firewall for the stealth rule

Right click on the Track column and select Log,

The Stealth Rule should look like this,

Create the Cleanup Rule in the same way as shown above. It should look like this,


Creating Administrative Profiles

Select the Users tab from the left panel, right click on the Administrators container and select New Administrator

Specify the username for the type of admin; in the example below we are creating a Read-Only admin

Click on New and create a Permissions Profile for this admin user

Go to the Authentication tab and select the type of authentication; in this case we are using Check Point Password, which stores the admin user credentials locally on the Checkpoint firewall,

This user has to be added to a group, and we create a group from the same Users tab under the Administrator Groups container as below

Name the group accordingly and add the user into the group

If you want to create a user with Read/Write permissions, a Read-Write permissions profile has to be created with Full access or with customized access as shown below

HIDE NAT

On the left panel, in the Network Objects tab (the first tab), right click on Networks and select Network

A new window pops up; under the General tab, specify the Name, Network Address and Net Mask, then switch to the NAT tab

Select Add automatic address translation rules and the Hide behind Gateway option

You can see the LAN_Network object created

Create two new rules: in the first, add the source as LAN_NETWORK and the destination Any for any service, whereas in the next rule let the source and destination be Any and the service be http

The Hide NAT rule should look as below,

To push the configuration from the Management Console to the firewall module, from the top menu options select Policy and click on Install.

This displays the available firewall modules (if multiple firewall modules are present; here, as of now, only one). Select the firewall module and click on OK. It starts installing the policies and configuration to the selected firewall module

If all the configurations and policies installed are proper, it will show "Installation completed successfully".

STATIC NAT

To configure Static NAT we require two nodes, one for the available public IP and another for the internal private IP of the server (it can be any server, such as web, ftp, smtp etc.). On the left panel, in the Network Objects tab (the first tab), right click on Nodes and select Host

Specify the name and IP address of the server in use

On the NAT tab select Add Automatic Translation rules and specify the free public address available,

Create another node in the same way as explained above,

Both the newly created nodes appear under the Nodes option

The rules should look as shown below,

Static NAT for different Services

To perform Static NAT behind a single public IP to different private IPs in a DMZ based upon the services, we look at a sample configuration. In the example below, go to the NAT tab and add manual Static NAT rules according to the requirement.

The example below shows the Manual Hide NAT configuration; once you drag and drop the public server object, a window pops up asking you to choose from the two options shown below,

The Manual Hide NAT rule looks as below,
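As an added example (not code from the lab manual), the Python below models the automatic NAT rules that SmartDashboard generates from the objects in the Hide NAT and Static NAT sections above and applies them to sample packets. The LAN network, the gateway's external address and the server addresses are constructed values, and the relative order of the host (static) and network (hide) rules is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class NatRule:
    name: str
    orig_src: str         # "Any" or a CIDR network
    orig_dst: str
    xlate_src: str = ""   # "" means keep the original address
    xlate_dst: str = ""

def _match(field, ip):
    return field == "Any" or ip_address(ip) in ip_network(field)

def hide_nat_rules(network, gateway_ip):
    """Rules generated for a network object with "Hide behind Gateway"
    (the LAN_Network object); LAN-to-LAN traffic is left untranslated."""
    return [
        NatRule("LAN_no_nat", network, network),
        NatRule("LAN_hide", network, "Any", xlate_src=gateway_ip),
    ]

def static_nat_rules(private_ip, public_ip):
    """Rules generated for a host node with an automatic static translation:
    outbound source rewrite and inbound destination rewrite."""
    return [
        NatRule("Srv_out", f"{private_ip}/32", "Any", xlate_src=public_ip),
        NatRule("Srv_in", "Any", f"{public_ip}/32", xlate_dst=private_ip),
    ]

def translate(rules, pkt):
    """Apply the first NAT rule whose original columns match the packet."""
    for r in rules:
        if _match(r.orig_src, pkt["src"]) and _match(r.orig_dst, pkt["dst"]):
            out = dict(pkt, nat=r.name)
            if r.xlate_src:
                out["src"] = r.xlate_src
            if r.xlate_dst:
                out["dst"] = r.xlate_dst
            return out
    return dict(pkt, nat=None)   # no rule matched: pass through untranslated

# Constructed values. The host (static) rules are placed ahead of the
# network (hide) rules, assumed here so the server keeps its own public
# address instead of being hidden behind the gateway.
NAT_RULEBASE = (static_nat_rules("10.1.1.80", "192.0.2.80")
                + hide_nat_rules("10.1.1.0/24", "192.0.2.1"))
```

Hide NAT also rewrites the source port so that many hosts can share the gateway address; that port translation is not modelled here.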

Authentication

Select the Users tab from the left panel, right click on the Users container and select New User and the Default option

Specify the login username on the General tab as shown below,

Go to the Authentication tab and select Check Point Password

Fill in the password fields,

Now we create a group and add the user to this group. In the left panel Users tab, right click the User Groups container and click on New Group

Specify the group name

Select each user and add them to the group, including the generic user

The user is added into the group and we can see the group Lan_Users_Group displayed in the left panel

Creating Rule: A new rule should be created between the Stealth and Cleanup rules as shown below. Right click on the Source column and select the Add User/Access Rule option,

Specify the name and select the Specific networks option.

Add LAN_NETWORK under Specific networks and click OK.

Select the service according to the authentication scheme, and in the Action column right click, go to Legacy and select User Auth

Once the rule is created, under Action double click on User Auth and select All Servers. Install the policy to enable authentication.

External authentication:

We look at an example of enabling authentication using a TACACS+ server as an external source. To define the TACACS+ server on Checkpoint we first create a node: in the Network Objects tab create a node defining the IP address of the TACACS+ server

Once done you will see the TACACS+ server listed under the Nodes option

Go to the Servers and OPSEC Applications tab, right click on the Servers option, select New and click on TACACS

Specify a name for the TACACS+ server; for the Host option select the node that was created for the TACACS+ server, select the type as TACACS+ and enter the secret key

Now in the left panel Users tab, right click on External User Profiles, go to New External User Profile and select Match all users

A new window opens up,

Go to the Authentication tab and select TACACS as the Authentication Scheme:

Create a general user in the left panel Users tab; we already have a user created, so right click the username and click on Edit

A window opens up; go to Authentication, select the authentication scheme as TACACS and select the TACACS server

Creating Rule: Create the rule as explained in the User Authentication process. Select the service according to the authentication scheme, and in the Action column right click, go to Legacy and select Session Auth

The rule should look as below,

Now we go to Client Auth; here client software needs to be installed on the user's machine for authentication to happen. The configuration required for the setup is the same as explained above, except that the Action column will have Client Auth in it. To see the sub-configuration under Client Auth, double click on it and configure accordingly.

The rule should look as below,

Active Directory Integration with Checkpoint

To set up authentication using the user information stored in the LDAP server, the configuration is as below:

This opens a new window as below, where we need to create a new template

Provide a name for the template and select the authentication as Check Point Password

We can see that a new template by the name LDAP_Template is listed as below:

Create the LDAP server node under the Objects Tree

Provide the necessary details for the creation of the LDAP server node

Create an LDAP Account Unit under the Servers tab

Provide the necessary details for the LDAP Account Unit, make sure that Microsoft_AD is selected from the dropdown, and provide the domain name on which the LDAP server is configured

Under the Servers tab of the LDAP Account Unit, provide the LDAP server admin username and password.

The Login DN contains the information as below: CN=administrator,CN=users,DC=netmetric,DC=com

Once completed, the LDAP server will be listed as below

Go to the Objects Management tab and click on Fetch branches; by doing this the domain information will be pulled from the LDAP server

Under the Authentication tab, select the LDAP template which was created initially


Go to Manage > Users and Administrators and create a new LDAP group

Under the Account Unit of this LDAP group, select the LDAP Account Unit we created above

We can see that new objects for the LDAP Template, LDAP Group and LDAP Account Unit are created under the Objects Tree

Write a rule by specifying the LDAP group under the Source column as below

If we want a Session Authentication agent to pop up on the user's machine upon the authentication challenge, the Client Auth settings will be as below; this window opens after double clicking on Client Auth under the Action column as below:

IPSec VPN

To configure the IPSec VPN, go to the Network Objects tab, right click the CP module and click on Edit

Enable the IPSec VPN option under the Network Security tab,

To create an IPSec VPN between Checkpoint firewalls, right click on Checkpoint under Network Objects and select Externally Managed VPN Gateway

A new window opens up; enter the remote Checkpoint gateway name and its IP address and verify the OS option. In this case we are using SecurePlatform (SPLAT for short)

Go to the Topology option, select Manually defined and select the remote network object

You will see a new gateway created under Network Objects,

To create a VPN between a Checkpoint and a non-Checkpoint firewall, right click on Network Objects and uncheck Do not show empty folders

Right click on Interoperable Devices and click on Interoperable Device,

A window opens up; specify the name and IP address of the remote firewall

Go to the Topology option, select Manually defined and select the remote network object

Now we can see the non-Checkpoint firewall listed under Interoperable Devices,

Select the VPN Communities tab, right click on Site To Site, go to New Site To Site and click on Meshed

A window opens up; specify the community name,

On the Participating tab, click on Add and select all the firewalls,

On the Encryption tab, select the appropriate Encryption Method and Encryption Suite

Under the Shared Secret tab, select each firewall, click on Edit and specify the shared secret key

Under Advanced VPN options, select the appropriate DH groups and check Disable NAT inside the VPN community

Create a rule above the Stealth Rule and specify the source and destination; in the VPN column right click and select Edit cell

Select "Only connections encrypted in specific VPN communities"

The policy should look like this. Note: this security rule comes above the Stealth Rule.
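As an added example (not part of the lab manual), the Python below simulates first-match evaluation of the rulebase this guide builds: the Stealth and Cleanup rules, the two access rules from the Hide NAT section (LAN_NETWORK to Any for any service, Any to Any for http) and the VPN rule placed above the Stealth Rule, and it lints the ordering the guide requires. All addresses, the community name, the Remote_Net object and the Drop action on the Stealth and Cleanup rules are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Constructed address book: the gateway's own addresses stand in for the
# "Firewall" object; LAN_NETWORK and Remote_Net are assumed objects.
OBJECTS = {
    "Firewall": [ip_network("192.0.2.1/32"), ip_network("10.1.1.1/32")],
    "LAN_NETWORK": [ip_network("10.1.1.0/24")],
    "Remote_Net": [ip_network("10.2.2.0/24")],
}

@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str        # "Accept" or "Drop"
    vpn: str = "Any"   # VPN community name, or "Any" (no VPN match)
    track: str = "None"

def _matches(obj, ip):
    """True if an address belongs to the named object ("Any" matches all)."""
    return obj == "Any" or any(ip_address(ip) in n for n in OBJECTS[obj])

def evaluate(rulebase, pkt):
    """First-match evaluation; returns (rule name, action) for a packet."""
    for r in rulebase:
        if (_matches(r.src, pkt["src"]) and _matches(r.dst, pkt["dst"])
                and r.service in ("Any", pkt["service"])
                and r.vpn in ("Any", pkt.get("vpn"))):
            return r.name, r.action
    return None, "Drop"  # implicit drop, never reached with a Cleanup rule

def check_order(rulebase):
    """Lint the ordering the guide requires: Stealth first after the VPN rule,
    Cleanup last, and both logged so dropped traffic stays visible."""
    problems = []
    plain = [r for r in rulebase if r.vpn == "Any"]
    if not plain or plain[0].name != "Stealth":
        problems.append("Stealth Rule must be the first non-VPN rule")
    if rulebase[-1].name != "Cleanup":
        problems.append("Cleanup Rule must be last")
    problems += [f"{r.name}: Drop rule without Log" for r in rulebase
                 if r.action == "Drop" and r.track != "Log"]
    return problems

RULEBASE = [
    Rule("Site_VPN", "LAN_NETWORK", "Remote_Net", "Any", "Accept",
         vpn="Site_Community", track="Log"),
    Rule("Stealth", "Any", "Firewall", "Any", "Drop", track="Log"),
    Rule("LAN_out", "LAN_NETWORK", "Any", "Any", "Accept"),
    Rule("Web_in", "Any", "Any", "http", "Accept"),
    Rule("Cleanup", "Any", "Any", "Any", "Drop", track="Log"),
]
```

Running evaluate on an http request to the gateway's own address shows why the Stealth Rule sits first: the Any-to-Any http rule never gets a chance to accept traffic aimed at the firewall itself.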

Remote Access SSL VPN

To configure the Remote Access VPN, go to the Network Objects tab, right click the CP module and click on Edit

Enable the Mobile Access option under the Network Security tab,

Once you click on the Mobile Access option, the window below pops up

Selecting a demo application for testing

Creating a test user

Specifying a URL to be used for a Remote Access VPN connection

Write a policy as shown below,